
Ransomware, Malware, and Security Incidents - 2021

News stories and breakdowns of high-profile security incidents including ransomware and malware attacks.

Table of Contents

October

Amazon-owned Twitch has entire source code stolen 

PUBLISHED: Oct. 6, 2021 

Amazon-owned video game streaming site Twitch has been the victim of a devastating hack, having its entire source code, including unreleased software, SDKs, financial reports, internal red-teaming tools, and payout rates for top streamers stolen. 

An anonymous poster on the 4chan message board has released a 125GB torrent, which they claim includes the entirety of Twitch and its commit history. The poster claims the leak is designed to “foster more disruption and competition in the online video streaming space.” The leak has been confirmed to be legitimate and includes code that is as recent as this week. The leak is labelled as “part one,” suggesting there could be more to come. 

Twitch has officially confirmed the veracity of the breach and now says it was caused by a "server configuration change" that caused "some data" to be exposed, but it has yet to confirm whether all the data posted online is genuine, though multiple industry publications have confirmed the stolen data is authentic. 

The leak does not appear to include password or address information on Twitch users, but that does not mean this information has not been obtained as part of this breach. The leaker seems to have focused on sharing Twitch’s own company tools and information, rather than code that would include personal accounts. 

Sources

  • The Verge, BBC News

September

UN computer networks breached by hackers earlier this year 

PUBLISHED: Sept. 9, 2021 

Hackers breached the United Nations’ computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organization. 

The hackers’ method for gaining access to the UN network appears to be unsophisticated: They likely got in using the stolen username and password of a UN employee purchased off the dark web. 

“We can confirm that unknown attackers were able to breach parts of the United Nations infrastructure in April of 2021,” Stéphane Dujarric, spokesman for the UN Secretary-General, said in a statement on Thursday. “The United Nations is frequently targeted by cyberattacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to, that are linked to the earlier breach.” 

“Traditionally, organizations like the United Nations have been targeted by nation state actors, but as cybercriminals are finding ways to more effectively monetize stolen data and as access to these organizations is more frequently available for sale by initial access brokers, we expect to see them increasingly targeted and infiltrated by cybercriminals,” said Allan Liska, a senior threat analyst at Recorded Future. 

Source

  • Bloomberg

July

Ransomware attacks on schools remain a serious concern 

PUBLISHED: July 27, 2021 

The Delta Covid variant isn’t the only thing threatening the safety of school reopenings this month. A wave of ransomware attacks targeting school systems could also keep students from having a “normal” school year, once again. 

So far this year, ransomware attacks have disrupted 58 United States education organizations and school districts, including 830 individual schools, according to Emsisoft threat analyst Brett Callow last month. Compare that with 2020, when Emsisoft estimates that 84 incidents disrupted learning at 1,681 individual schools, colleges and universities. 

“Back to school time, particularly for ransomware, is a challenging time — especially over the last couple of years when the ransomware actors have really started to focus on state and local government agencies, including school districts,” says Doug Levin, the national director of the K-12 Security Information Exchange. 

Among school district IT leaders, the threat of ransomware has become a growing concern, Levin said, but institutional problems pose a challenge in making major changes to security protocols. “Just because IT is concerned, doesn’t mean that superintendents and school board members are concerned,” he said. “They are the ones who set the priorities for the district and they’re the ones in charge of the purse strings.” 

The growth of cyber insurance is forcing some schools to make security a priority. If districts want a policy or lower premiums, they have to meet certain security standards — such as implementing multi-factor authentication. 

“If these major corporations can’t defend themselves, and even folks in the federal government get affected by this kind of stuff, school districts really have no chance against a motivated skilled actor,” Levin said. 

Sources

  • KAIT8 Local News, Emsisoft

 

Up to 1,500 businesses infected in one of the worst ransomware attacks ever 

PUBLISHED: July 6, 2021 

Cybersecurity teams are working feverishly to stem the impact of the single biggest global ransomware attack on record. As many as 1,500 businesses around the world have been infected by highly destructive malware that was delivered through software maker Kaseya: the attackers compromised Kaseya's VSA product and used that access to push the malware down to Kaseya's customers. 

The attack struck on Friday afternoon in the lead-up to the three-day Independence Day holiday weekend in the US. Affiliates of REvil, a private ransomware-as-a-service (RaaS) group believed to operate out of Russia, exploited a zero-day vulnerability in the Kaseya VSA remote management product, which the company says is used by 35,000 customers. The affiliates then used their control of compromised VSA servers to push a malicious software update to the endpoints those servers managed, at customers who are primarily small-to-midsize businesses. 

According to Kaseya CEO Fred Voccola, less than 0.1% of the company's customers were embroiled in the breach, but because that clientele includes MSPs, the smaller businesses those MSPs manage have also been caught up in the incident. 

President Biden suggested Saturday that the U.S. would respond if it was determined the Kremlin was at all involved. Less than a month ago, he pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat. 

Sources

  • CBS News, Ars Technica

June

Electronic Arts hacked and source code stolen 

PUBLISHED: June 10, 2021 

Hackers have stolen valuable information from major game publisher Electronic Arts (EA), the company said. 

The attackers claimed to have downloaded source code for games such as FIFA 21 and for the proprietary Frostbite game engine used as the base for many other high-profile games. 

News of the hack was first reported by news site Vice, which said some 780GB of data was stolen. EA said no player data had been stolen in the breach. 

The firm is one of the largest games companies in the world. It counts major series such as Battlefield, Star Wars: Jedi Fallen Order, The Sims, and Titanfall among the titles it develops or publishes - as well as a vast array of annual sports games. 

Electronic Arts has tightened security since the incident and is “actively working with law-enforcement officials and other experts as part of this ongoing criminal investigation,” the company said. 

Sources

  • Bloomberg, BBC News

 

Mass. Steamship Authority Hit by Ransomware Attack; Ferries Delayed 

PUBLISHED: June 2, 2021 

A ransomware attack on the Steamship Authority of Massachusetts hampered operations Wednesday morning. The largest ferry service to the islands of Martha's Vineyard and Nantucket, the Steamship Authority issued a statement warning that traveling customers may be delayed as a result. 

"The Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority was the target of a ransomware attack early Wednesday, June 2, 2021," the company said. "The Authority continues to work internally, as well as with federal, state and local authorities, to determine the extent and origin of the attack." 

The company said there was no impact to the safety of vessel operations, saying the issue was not affecting radar or GPS functionality. "Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process," the company said. 

Sources

  • WCVB, NBC10 Boston

May

CNA Financial paid $40 Million in ransom after March cyberattack 

PUBLISHED: May 20, 2021 

CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack. 

The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly. 

In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks. 

“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.” 

In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.” 

Ransomware attacks -- and particularly payments -- are rarely disclosed so it’s difficult to know what the biggest ransoms have been. The average payment in 2020 was $312,493, according to Palo Alto Networks, a 171% increase over the previous year. The $40 million payment is bigger than any previously disclosed payments to hackers, according to three people familiar with ransomware negotiations. 

Source

  • Bloomberg

 

Cybersecurity firms may have inadvertently aided hackers in Colonial Pipeline attack 

PUBLISHED: May 24, 2021 

On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers. 

But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.” 

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.” 

DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast—quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations. Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool. 

Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal. 

The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals, and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out. 
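The lapse described above, one set of keys reused across victims, is what made a single recovered key usable against everyone. The following is an added illustration of that key-management structure and is not DarkSide's, Bitdefender's or the researchers' code: it models a ransomware-style hybrid scheme in which each file is encrypted under a random per-file key that is then wrapped by a master key, and shows that a master key obtained from one victim unwraps every other victim's files when it is shared, but nothing when it is minted per victim. The cipher used (an HMAC-SHA256 keystream XOR) is a toy stand-in for the real encryption layers and is an assumption of the example, as are the victim names and documents.

```python
"""Why one recovered master key unlocks every victim when the key is reused.

Added illustration, not DarkSide's or Bitdefender's code. The symmetric
cipher below is a toy (HMAC-SHA256 keystream XOR) standing in for the real
file-encryption and key-wrapping layers; only the key-management structure
(random per-file key, wrapped by a master key) is the point.
"""
import hashlib
import hmac
import os
from typing import Dict, List


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter).
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_file(master_key: bytes, plaintext: bytes) -> Dict[str, bytes]:
    """Hybrid scheme typical of ransomware: a fresh random key encrypts the
    file, and the master key wraps that file key next to the ciphertext.
    Whoever holds the master key can unwrap every file key it protected."""
    file_key = os.urandom(32)
    nonce, wrap_nonce = os.urandom(12), os.urandom(12)
    return {
        "nonce": nonce,
        "ciphertext": keystream_xor(file_key, nonce, plaintext),
        "wrap_nonce": wrap_nonce,
        "wrapped_key": keystream_xor(master_key, wrap_nonce, file_key),
    }


def decrypt_file(master_key: bytes, blob: Dict[str, bytes]) -> bytes:
    """Unwrap the per-file key with the master key, then decrypt the file."""
    file_key = keystream_xor(master_key, blob["wrap_nonce"], blob["wrapped_key"])
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


def run_campaign(victims: List[str], per_victim_master: bool):
    """Encrypt one document per victim. The operator either mints a master
    key per victim or reuses one master key for the whole campaign (the
    lapse described in the article). Victim names/documents are constructed."""
    shared = os.urandom(32)
    masters = {v: (os.urandom(32) if per_victim_master else shared) for v in victims}
    docs = {v: f"confidential ledger of {v}".encode() for v in victims}
    blobs = {v: encrypt_file(masters[v], docs[v]) for v in victims}
    return masters, docs, blobs


def one_key_decrypts_others(per_victim_master: bool) -> bool:
    """Simulate a researcher who has obtained victim A's master key (for
    example from the decryptor A received after paying) and tries it on
    everyone else. True when every other victim's file comes back intact."""
    victims = ["victim-a", "victim-b", "victim-c"]
    masters, docs, blobs = run_campaign(victims, per_victim_master)
    recovered = masters["victim-a"]
    others = [v for v in victims if v != "victim-a"]
    return all(decrypt_file(recovered, blobs[v]) == docs[v] for v in others)


if __name__ == "__main__":
    print("reused master key  -> others decrypt:", one_key_decrypts_others(False))
    print("per-victim master  -> others decrypt:", one_key_decrypts_others(True))
```

The structure, not the toy cipher, is what matters: a decryptor handed to one paying victim is a copy of the master key, so a shared master key turns every paid-for decryptor into a universal one. Publicising that fact is what tells the operator to start minting keys per victim.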

Source

  • MIT Technology Review

 

DC Police victim of massive data leak by ransomware gang 

PUBLISHED: May 13, 2021 

The police department in the nation’s capital has suffered a massive leak of internal information after refusing to meet the blackmail demands of a Russian-speaking ransomware syndicate. Experts say it’s the worst known ransomware attack ever to hit a U.S. police department. 

The gang, known as the Babuk group, released thousands of the Metropolitan Police Department’s sensitive documents on the dark web Thursday. A review by The Associated Press found hundreds of police officer disciplinary files and intelligence reports that include feeds from other agencies, including the FBI and Secret Service. 

Some of the documents include security information from other law enforcement agencies related to President Joe Biden’s inauguration, including a reference to a “source embedded” with a militia group. 

The police department did not immediately return a request for comment, but has previously said some officers’ personal information was stolen. 

The department has not said whether it made any offer to the gang. Any negotiations would reflect the complexity of the ransomware problem, with police finding themselves forced to consider making payments to criminal gangs. The FBI, which is assisting in this case, discourages ransomware payments. 

The group revealed the attack last month, threatening then to leak the identities of confidential informants. The data release revealed Thursday is massive and it was not immediately clear if it included informants’ names. 

Source

  • Associated Press

 

Updated - Colonial Pipeline victim of ransomware attack 

PUBLISHED: May 9, 2021 

Update II:  

Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction. 
 
The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment. 

Sources: 

  • Bloomberg

Update: 

Colonial Pipeline said Wednesday "it initiated the restart" of operations after having to shut off the conduit following a cyberattack last week. 

The pipeline was set to resume operations around 5 p.m. ET, but the company said "it will take several days for the product delivery supply chain to return to normal." Colonial Pipeline Co. had to shut it down Saturday following a ransomware attack.  

Sources: 

  • USA Today

Original Story: 

Top U.S. fuel pipeline operator Colonial Pipeline has shut its entire network after a ransomware attack, the company said in a statement on Friday. 

Colonial's network supplies fuel from U.S. refiners on the Gulf Coast to the populous eastern and southern United States. The company transports 2.5 million barrels per day of gasoline, diesel, jet fuel and other refined products through 5,500 miles of pipelines. The company says it transports 45 percent of the East Coast fuel supply. 

"We have since determined that this incident involves ransomware," Colonial Pipeline said. "In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems." 

The private cybersecurity firm FireEye said it's been hired to manage the incident response investigation. 

In response to the scale and scope of the incident, the US government has relaxed rules on fuel being transported by road, allowing drivers in 18 states to work extra or more flexible hours when transporting refined petroleum products. 

The government is planning for various scenarios and working with state and local authorities on measures to mitigate any potential supply issues, officials said Saturday. The attack is unlikely to affect gasoline supply and prices unless it leads to a prolonged shutdown, experts said. 

Sources: 

  • NBC News, Bloomberg, BBC

April

Homeland Security Secretary backs call for mandatory disclosure of ransomware payments 

PUBLISHED: April 29, 2021 

The Department of Homeland Security will work with a private-sector think tank to implement a report of recommendations for slowing the scourge of ransomware, including one that would require victims to report when they give in and make a payment, according to DHS Secretary Alejandro Mayorkas. 

The report reflects the work of a ransomware task force convened by the Silicon Valley-based Institute for Security and Technology that included 60 experts from software companies, cybersecurity vendors, government agencies, non-profits, academic institutions, cybersecurity insurers and international organizations, according to the document. 

“The task force's report provides a vision for what we can do to better address this urgent problem,” Mayorkas said. “DHS looks forward to working closely with the task force to turn its recommendations into action.” 

Last year saw an exponential increase in the number and size of ransomware payments entities—often schools, hospitals and other critical service providers and local governments—made to hackers who encrypt or threaten to publicly release their data unless they’re paid not to. 

Jen Ellis, a task force member and vice president of cybersecurity firm Rapid7, stressed the importance of the recommendation to mandate the disclosure of payments so that law enforcement can have a better understanding of the threat and to discourage ransom payment. She said the information would be anonymized to prevent organizations from being “re-victimized.” 

Sources

  • NextGov

 

Biden prepping cybersecurity executive order in response to SolarWinds attack 

PUBLISHED: April 29, 2021 

President Biden is preparing a cybersecurity executive order focused on helping the country protect itself from future cyberattacks following the sophisticated SolarWinds hack that was discovered in December. 

The order, which is still being drafted, lays out a series of new requirements for companies that do business with the government. The initiative includes plans for more systematic investigations of cyber events and standards for software development. The idea is to use the federal contracting process to force changes that will eventually trickle down to the rest of the private sector. 

"So essentially, federal government procurement allows us to say, 'If you're doing business with the federal government, here's a set of things you need to comply with in order to do business with us,'" said Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the White House. 

The SolarWinds attack, believed to be perpetrated by Russian hackers, was discovered last year. The hackers inserted malicious code into a software update from the IT management vendor SolarWinds, which reached as many as 18,000 customers. A smaller number of those customers' systems, however, were compromised by follow-on activity. 

As a result, nine federal agencies and 100 private-sector groups were compromised during the months-long operation. 

Sources

  • NPR, The Hill

 

D.C. Police Department Victim Of Apparent Ransomware Attack 

PUBLISHED: April 27, 2021 

Potentially sensitive information from the Washington, D.C., police department was allegedly breached by a ransomware attack from a group seeking a payout. 

A group called Babuk claimed to be behind the attack. Babuk is known for ransomware attacks, which hold victims’ data hostage until they pay a ransom, often in Bitcoin. On a post made on its website, the group threatened to release information pulled from the department's systems if they were not paid an undisclosed amount. The group also hit the Houston Rockets N.B.A. team this month. 

In their post to the dark web, Babuk’s cybercriminals claimed they had downloaded 250 gigabytes of data and threatened to leak it if their ransom demands were not met in three days. They also threatened to release information about police informants to criminal gangs, and to continue attacking “the state sector,” including the F.B.I. and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The information already released appeared to include chief’s reports, lists of arrests and lists of persons of interest. 

Targeting an organization like the Metropolitan Police Department makes sense, says Rob Pritchard, founder of CyberSecurityExpert.com, as police can't tolerate a long outage and are more likely to pay to take back control of their data and systems. 

If the police department did pay to regain control of its data, it may mean other law enforcement agencies could become similar targets, Pritchard said. 

"Expect more local police groups to be targeted," he said. 

Sources

  • New York Times, NPR

 

Broward County Public Schools, sixth largest U.S. school district, targeted by massive ransomware 

PUBLISHED: April 1, 2021 

Broward County Public Schools, the sixth largest school district in the United States, said Thursday it had been the target of a massive ransomware attack. This comes just weeks after a high-profile attack on the Buffalo Public Schools as well as a water treatment facility in Oldsmar, Florida. 

The hackers were able to encrypt some of the Fort Lauderdale-based district's data in March and initially demanded a $40 million cryptocurrency payment or they would erase the files and publish the personal information of students and employees online. Broward said Thursday it made no extortion payment and that no personal information had been published online. The district added that it is working with cybersecurity experts to shore up its computer systems and restore affected systems. 

Screenshots of negotiations between Broward County Public Schools and the hackers show that at one point the school district offered $500,000 to restore the data, according to WPTV, an NBC-affiliated television station. 

The attack briefly shut down the district’s computer system in early March, but classes were not disrupted. 

Source:

  • Yahoo News

March

Ransomware attacks on the rise in the trucking industry 

PUBLISHED: March 15, 2021 

Bitdefender, a cybersecurity research organization and anti-malware developer, reports ransomware attacks were up 715% year over year in the first half of 2020 — and truck fleets were among the victims. 

“Just about every month there was a transportation-related company that had experienced some form of ransomware or cyberattack,” says Sharon Reynolds, chief information security officer (CISO) of Omnitracs, a trucking fleet intelligence platform. 

Advances in telematics, the field that combines telecommunications, vehicular technology, electrical engineering and computer science, have made the trucking industry increasingly interconnected, bringing with them a sharp increase in the number of mobile phone applications that connect to trucks and in the software-as-a-service (SaaS) offerings that power backend systems. 

But Reynolds points to basic email messages as one of the most widely exploited vectors for launching malware, particularly ransomware, the malware that encrypts computer files until someone pays a ransom. “Right now, it feels like transportation is definitely being targeted. These groups have figured out that distraction to the supply chain is a cause for concern,” Reynolds says. “Truck fleets aren’t necessarily more vulnerable. It just appears to be this sector’s turn.” 

As for fleets that have questioned whether having a security leader or other cyber support is worth the investment? 

“It might be time to re-evaluate that,” she says. 

Source: 

  • Truck News

 

HAFNIUM targeting Exchange Servers with 0-day exploits 

PUBLISHED: March 16, 2021 

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. 

More details from Microsoft can be viewed at these links. 

  • Microsoft Security Response Center

 

Massachusetts-based payroll/HR giant hit by ransomware 

PUBLISHED: March 2, 2021 

PrismHR, a Hopkinton, Massachusetts-based company that sells human resources software to more than 80,000 small businesses, has suffered what appears to be an ongoing ransomware attack that is disrupting many of its services. 

The company handles everything from human resources and payroll processing to health insurance and tax forms for hundreds of “professional employer organizations” (PEOs) that serve more than two million employees. The company processes more than $80 billion in payroll payments annually on behalf of PEOs and their clients. Countless small businesses turn to PEOs in part because they simplify compliance with various state payroll taxes, and because PEOs are the easiest way for small businesses to pool their resources and obtain more favorable health insurance rates for their employees. 

PrismHR has not yet responded to requests for comment. In a template email it suggested PEO partners share with their customers, PrismHR explained that “the outage may extend throughout today and possibly later, with potential impact on payroll processing”. 

The company has yet to reveal the exact nature of the service disruptions, but their actions so far align with industry standard recommendations for responding to a ransomware outbreak. 

Ransomware renders any files it touches unreadable unless and until a victim pays for a digital key needed to unlock the encryption on them. Worse, it has become almost a best practice among ransomware criminal groups to steal as much data as possible from the victim organization prior to unleashing the ransom malware within a target environment. 

PrismHR said in a statement to its PEO customers that while its investigation and response to the incident is ongoing, the company “is not aware of any sensitive data being breached or compromised.” 

Source

  • Krebs on Security

February

Senate Intel Committee to conduct open hearing on SolarWinds Hack 

PUBLISHED: Feb. 23, 2021 

The Senate Intelligence Committee on Tuesday will hold the first public congressional hearing on the SolarWinds hack. The panel previously received a closed-door briefing about the incident from the NSA, the FBI, CISA and ODNI, and held an informal session with FireEye CEO Kevin Mandia, whose company discovered the compromise. 

The hearing will take place today, Tuesday, February 23rd at 2:30PM ET. 

Source: 

  • C-SPAN

 

New strain of malware discovered on 30,000 Macs 

PUBLISHED: Feb. 20, 2021 

A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves. 

The malware, dubbed Silver Sparrow, forces infected Macs to check a control server once an hour to see if there are any new commands the malware should run or binaries to execute. Researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met. 

Curiously, the malware contains a mechanism to completely remove itself, a capability typically reserved for high-stealth operations. There are no signs as of yet that the self-destruct feature has been used, raising the question of why the mechanism exists. 

The malware has been found in 153 countries with detections concentrated in Germany, France, the UK, Canada, and the United States. 

“To me, the most notable [thing] is that it was found on almost 30K macOS endpoints... and these are only endpoints that Malwarebytes can see, so the number is likely way higher,” Patrick Wardle, a macOS security expert, wrote in an Internet message. “That’s pretty widespread... and yet again shows that macOS malware is becoming ever more pervasive and commonplace, despite Apple’s best efforts.” 

Red Canary, the security firm that discovered the malware, has provided indicators of compromise in a blog post report located on its website. 
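The once-an-hour check-in described above is a detection opportunity in its own right: a timer-driven beacon produces connection gaps with almost no spread, which human-driven traffic does not. The following is an added example and is not Red Canary's detection logic or Silver Sparrow's indicators; the log format (timestamp, source host, destination) and the sample lines are constructed for the example, and the thresholds are assumptions to tune against your own data.

```python
"""Hunting for a fixed-interval check-in (hourly beacon) in connection logs.

Added example, not Red Canary's detection logic or Silver Sparrow's indicators.
The log lines are constructed here; the format "timestamp src dst" is an
assumption standing in for whatever your proxy, DNS or EDR export provides.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: mac-042 talks to c2.example once an hour with a few
# seconds of jitter; mac-017 browses cdn.example at human, irregular times.
SAMPLE_LOG = """\
2021-02-19T08:00:05 mac-042 c2.example
2021-02-19T08:01:10 mac-017 cdn.example
2021-02-19T08:01:12 mac-017 cdn.example
2021-02-19T08:35:40 mac-017 cdn.example
2021-02-19T09:00:07 mac-042 c2.example
2021-02-19T09:50:00 mac-017 cdn.example
2021-02-19T09:50:01 mac-017 cdn.example
2021-02-19T10:00:03 mac-042 c2.example
2021-02-19T10:12:00 mac-042 cdn.example
2021-02-19T11:00:09 mac-042 c2.example
2021-02-19T12:00:04 mac-042 c2.example
2021-02-19T13:00:06 mac-042 c2.example
2021-02-19T13:12:30 mac-017 cdn.example
2021-02-19T13:12:31 mac-017 cdn.example
2021-02-19T14:00:00 mac-017 cdn.example
2021-02-19T14:00:05 mac-042 c2.example
2021-02-19T15:00:08 mac-042 c2.example
"""

Pair = Tuple[str, str]


def parse_log(text: str) -> Dict[Pair, List[datetime]]:
    """Group connection timestamps by (source host, destination)."""
    by_pair: Dict[Pair, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair


def find_beacons(text: str, min_hits: int = 6, max_cv: float = 0.05) -> Dict[Pair, int]:
    """Return pairs whose inter-connection gaps are nearly constant, mapped
    to the mean gap in seconds.

    A beacon fires on a timer, so the gaps between hits have a tiny spread
    relative to their mean (coefficient of variation); human traffic does
    not. min_hits guards against judging regularity on too few samples.
    """
    hits: Dict[Pair, int] = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = round(mean)
    return hits


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: regular check-in every ~{period}s")
```

Anything on a fixed timer, including legitimate software updaters, scores the same way, so treat a hit as triage input to join with destination reputation and the process that made the connection (for this malware, Red Canary's published indicators) rather than as a verdict on its own.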

Sources

  • Ars Technica, Red Canary

 

Hackers target Florida town’s water supply 

PUBLISHED: Feb. 9, 2021 

Hackers remotely accessed the water treatment plant of a small Florida city last week and briefly changed the levels of lye in the drinking water, in the kind of critical infrastructure intrusion that cybersecurity experts have long warned about. 

The attack in Oldsmar, a city of 15,000 people in the Tampa Bay area, was caught before it could inflict harm, Sheriff Bob Gualtieri of Pinellas County said at a news conference on Monday. He said the level of sodium hydroxide — the main ingredient in drain cleaner — was changed from 100 parts per million to 11,100 parts per million, dangerous levels that could have badly sickened residents if it had reached their homes. 

The authorities said the plot unfolded last Friday morning, when an employee noticed that someone was controlling his computer. He initially dismissed it because the city has software that allows supervisors to access computers remotely. But about five and a half hours later, the employee saw that different programs were opening and that the level of lye changed. 
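Attacks like the one described above succeed when an HMI accepts any value a logged-in session types. What follows is an added example, not the Oldsmar plant's software, of a defence-in-depth guard on setpoint writes: engineering limits per tag, a maximum step per write, and an audit trail of rejected attempts. The tag name, the limit values, the session names and the events are assumptions constructed for the example; only the 100 ppm baseline and the 11,100 ppm value the intruder entered come from the report.

```python
"""Engineering-limit guard for operator setpoint writes, with an audit trail.

Added example, not the Oldsmar plant's software. The tag name, the limit
values, the session names and the audit events below are assumed for
illustration; the only figures taken from the report are the 100 ppm
baseline and the 11,100 ppm value the intruder entered.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SetpointLimits:
    low: float       # engineering minimum the process may be set to
    high: float      # engineering maximum (assumed value)
    max_step: float  # largest change allowed in one write (assumed value)


# Assumed limits for a caustic (sodium hydroxide) dosing setpoint.
LIMITS: Dict[str, SetpointLimits] = {
    "naoh_dose_ppm": SetpointLimits(low=0.0, high=150.0, max_step=20.0),
}


def check_write(tag: str, current: float, requested: float) -> Tuple[bool, str]:
    """Decide whether a setpoint write may proceed.

    The guard is deliberately independent of who is writing: a remote
    session that hijacks a logged-in operator inherits the operator's
    rights, so the check must hold regardless of the source.
    """
    limits = LIMITS.get(tag)
    if limits is None:
        return False, f"unknown tag {tag!r}: no limits configured, refusing"
    if not (limits.low <= requested <= limits.high):
        return False, (f"{tag} {requested} outside engineering range "
                       f"[{limits.low}, {limits.high}]")
    if abs(requested - current) > limits.max_step:
        return False, (f"{tag} change {current}->{requested} exceeds "
                       f"max step {limits.max_step}; stage it in increments")
    return True, "accepted"


def audit_writes(events: List[dict]) -> List[dict]:
    """Replay HMI write events through the guard and return the outcome of
    each one, so rejected attempts are visible to operators and responders
    even though the process value never moved."""
    outcomes = []
    for ev in events:
        ok, reason = check_write(ev["tag"], ev["current"], ev["requested"])
        outcomes.append({**ev, "accepted": ok, "reason": reason})
    return outcomes


# Constructed events: a routine trim by an operator, the intruder's write
# over a remote-access session, a retry within range but too large a step,
# and a write to a tag with no configured limits.
SAMPLE_EVENTS = [
    {"time": "2021-02-05T08:02:11", "session": "console-1", "tag": "naoh_dose_ppm",
     "current": 100.0, "requested": 105.0},
    {"time": "2021-02-05T13:31:40", "session": "remote-7", "tag": "naoh_dose_ppm",
     "current": 100.0, "requested": 11100.0},
    {"time": "2021-02-05T13:32:05", "session": "remote-7", "tag": "naoh_dose_ppm",
     "current": 100.0, "requested": 140.0},
    {"time": "2021-02-05T13:33:00", "session": "remote-7", "tag": "pump_3_speed",
     "current": 50.0, "requested": 90.0},
]


if __name__ == "__main__":
    for out in audit_writes(SAMPLE_EVENTS):
        flag = "OK " if out["accepted"] else "REJ"
        print(f"{flag} {out['time']} {out['session']:10} {out['reason']}")
```

Rejecting the write does not end the intrusion: the remote-access session is still live, and the rejected out-of-range write is the alert that should start the response, which in Oldsmar is what the operator's own observation of the moving cursor did.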

In a tweet, Senator Marco Rubio, Republican of Florida, said the attempt to poison the water supply should be treated as a “matter of national security.” 

No suspects have been identified in the Oldsmar attack, and it was unclear on Monday whether the hackers were in the United States or abroad. The F.B.I. and the U.S. Secret Service have been notified. 

The process of attributing the attack could take months — or longer. 

Source

  • New York Times

 

Video game and digital entertainment studios remain prime targets for ransomware attacks 

PUBLISHED: Feb. 9, 2021 

Another video game studio has revealed they were the victim of a ransomware attack. CD Projekt S.A., creator of AAA digital products including The Witcher 3 and Cyberpunk 2077, said on Tuesday that the perpetrators of the attack were threatening to sell or leak proprietary source code and share internal documents with their “contacts in gaming journalism”. The attack comes after several high-profile stories alleging an unhealthy work culture within CD Projekt S.A and the company’s demands on its staff. The ransom note left by the attackers alludes to these allegations. 

The attackers have also dumped or threatened to dump “documents related to accounting, administration, legal, HR, investor relations and more.” 

“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data,” CD Projekt Red wrote in response. It added that although some devices in its network have been encrypted, “our backups remain intact,” and it has secured its IT infrastructure and started restoring data. 

This follows a similar ransomware attack in November against Capcom, a Japanese multi-national studio responsible for a number of multi-million-selling game franchises including Resident Evil and Street Fighter. 

Sources

  • Bloomberg, Wall Street Journal

January

Malwarebytes becomes fourth major security firm targeted by SolarWinds hackers 

PUBLISHED: Jan. 19, 2021 

The creator of popular anti-virus software, Malwarebytes, said on Tuesday that some of its emails were breached by the same hackers who used the software company SolarWinds to hack into a series of U.S. government agencies. This makes Malwarebytes the fourth major security firm, after Microsoft, FireEye, and CrowdStrike, to be targeted by this same group. 

Malwarebytes said the intrusion is unrelated to the SolarWinds supply chain incident, since the company does not use any SolarWinds software in its internal network. Instead, the hackers breached its internal systems by exploiting a dormant email protection product within its Office 365 and Microsoft Azure environments. The company confirmed the hackers were able to gain access to a “limited subset of internal company emails” but found no evidence of unauthorized access to or compromise of its production environments. 

Mandiant, a cybersecurity research firm, recently released a report alleging that the perpetrators behind the SolarWinds supply chain attack leveraged four separate techniques to bypass identity and access management protections and move laterally from victims’ on-premises networks to their cloud-based Microsoft 365 accounts. 

Sources

  • Reuters, FireEye Inc

 

FBI investigation of SolarWinds hack widens to include project-management software from JetBrains 

PUBLISHED: Jan. 6, 2021 

The FBI is investigating whether the hackers behind a series of intrusions at U.S. federal agencies and companies also broke into project-management software created by the company JetBrains to breach its customers. JetBrains, a privately held Czech-based company whose chief executive, Maxim Shafirov, is a Russian national, produces software called TeamCity that is used by tens of thousands of customers to construct other software. 

Reporting suggests that US officials are looking at a scenario where Russian hackers breached JetBrains and then launched attacks on its customers, one of which was SolarWinds. 

The company responded Thursday with a published statement denying reports from both the New York Times and the Wall Street Journal claiming that JetBrains is under investigation for possibly being involved in the SolarWinds hack that impacted thousands of companies across the globe. Shafirov confirmed from St. Petersburg, Russia, where JetBrains has offices, that SolarWinds is amongst JetBrains’ many customers. 

SolarWinds revealed last month that someone with access to its system for developing network-management software had inserted back doors into two updates of its flagship Orion products. Dozens of SolarWinds customers, including at least a half-dozen U.S. agencies, were then exploited by the same hackers. U.S. intelligence agencies said Tuesday that Russia was likely behind the damaging spree, though Russian officials denied it. 

“We are not aware of any investigation nor have we been contacted by any agencies,” a JetBrains spokesman said. “We are not aware of any vulnerabilities in the product or breaches that would allow for this, nor that any of our customers were affected.” 

Vulnerabilities in TeamCity have been publicly reported and rated “critical” in the past, as is true with most big software. 

Sources

  • Reuters, Wall Street Journal, New York Times

 

SolarWinds hires former cyber security chief Chris Krebs to help navigate post-hack fallout 

PUBLISHED: Jan. 7, 2021 

SolarWinds, the embattled network software firm, has hired former US government cyber security chief Chris Krebs to assist the company in navigating the fallout of what is quickly proving to be one of the most intrusive cyber attacks in our nation’s history. Krebs will spearhead the company’s crisis response efforts alongside his new business partner Alex Stamos, a Stanford University professor and Facebook’s former security chief. 

Investigations on the full scale and scope of the campaign continue, but some experts have reported that it may stretch back years and remain ongoing. US intelligence officials confirmed this week that they had identified “fewer than 10” federal agencies that had been compromised, including the Commerce, Energy, and Justice departments. The electronic filing system used by the federal courts was also compromised, the US judiciary said on Thursday. 

Speaking to the Financial Times, Krebs said there was “zero question” amongst the intelligence community that the SVR, Russia’s foreign intelligence service, was responsible for the attack. 

Krebs, who has extensive experience in risk management and national and infrastructure security, oversaw the Cybersecurity & Infrastructure Security Agency until his ousting in November for challenging claims that the US presidential election had been widely compromised by fraud and foreign interference. 

Sources

  • Reuters, Krebs on Security
